[1/4] package/openjdk: fix hash

Message ID 20200417232922.3762195-1-aduskett@gmail.com
State Rejected

Commit Message

Adam Duskett April 17, 2020, 11:29 p.m. UTC
From: Adam Duskett <Aduskett@gmail.com>

The hash should be
6815dbac7dd0f86291254e84ed17565c89477eeb6b0847a9648b00ecb4f07634

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
 package/openjdk/openjdk.hash | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Thomas Petazzoni April 18, 2020, 10:01 a.m. UTC | #1
On Fri, 17 Apr 2020 16:29:19 -0700
aduskett@gmail.com wrote:

> From: Adam Duskett <Aduskett@gmail.com>
> 
> The hash should be
> 6815dbac7dd0f86291254e84ed17565c89477eeb6b0847a9648b00ecb4f07634

No, the hash was
6815dbac7dd0f86291254e84ed17565c89477eeb6b0847a9648b00ecb4f07634, and
it is now
fcd13ebd63d40c1c2f3cabfb7bc368962ff7b5935523be2a0e769352987145ae.

But still, why do you fix hashes like that, without investigating at
least a little bit what's going on? How come we committed a wrong hash?
How come there are no build failures related to this incorrect hash?

If you look at
http://autobuild.buildroot.net/results/0a4/0a4608828365df301114b533d6b59a4733599d94/build-end.log,
you will see why:

 - We download from the original upstream location, and indeed the hash
   of the upstream tarball is
   fcd13ebd63d40c1c2f3cabfb7bc368962ff7b5935523be2a0e769352987145ae,
   but we expect
   6815dbac7dd0f86291254e84ed17565c89477eeb6b0847a9648b00ecb4f07634

 - So we fall back to sources.buildroot.net, and here the tarball has
   the expected hash, i.e.
   6815dbac7dd0f86291254e84ed17565c89477eeb6b0847a9648b00ecb4f07634

So this means that:

 (1) Upstream changed the contents of their tarball, which is really
     BAD and we want to understand what the changes are. So you should
     diff the new upstream tarball and the tarball that we have in
     sources.buildroot.net and investigate the differences.

 (2) We need to notify upstream that this is really bad.

 (3) You can't change the hash just like this, because it would mean
     that the hash would no longer match with the tarball we have
     backed up on sources.buildroot.net.

If we have hashes, it's not to blindly update them. We have hashes
precisely to detect that kind of situation, so if you blindly update
the hashes without doing any investigation, it makes it completely
useless to have hashes.

Thomas
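
The comparison asked for in point (1) above, as an added example that is not part of the thread or of Buildroot's tooling: it compares two .tar.gz archives member by member, so a repack with new timestamps can be told apart from a change in file contents. The function names and the sample archives are constructed for illustration; for a real check, pass the bytes of the mirrored and the upstream tarball.

```python
import hashlib
import io
import tarfile


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def member_digests(tar_bytes):
    """Map every archive member to a digest of its content (or its type/link target)."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                digests[member.name] = sha256_hex(tar.extractfile(member).read())
            else:  # directories, symlinks, devices: no content to hash
                digests[member.name] = f"{member.type!r}->{member.linkname}"
    return digests


def diff_tarballs(old_bytes, new_bytes):
    """Report what differs between the mirrored tarball and the new upstream one."""
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    return {
        "archive_hash_differs": sha256_hex(old_bytes) != sha256_hex(new_bytes),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


def make_tarball(files, mtime):
    """Build a constructed .tar.gz in memory (sample input, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a mirrored copy, a repack with new timestamps, a real change.
MIRROR = make_tarball({"src/Main.java": b"class Main {}\n", "LICENSE": b"GPL\n"}, 1000)
REPACKED = make_tarball({"src/Main.java": b"class Main {}\n", "LICENSE": b"GPL\n"}, 2000)
MODIFIED = make_tarball({"src/Main.java": b"class Main { int x; }\n", "LICENSE": b"GPL\n",
                         "src/Extra.java": b"class Extra {}\n"}, 2000)

if __name__ == "__main__":
    print("repacked:", diff_tarballs(MIRROR, REPACKED))
    print("modified:", diff_tarballs(MIRROR, MODIFIED))
```

An archive-level hash mismatch with empty added, removed and changed lists means only the packaging differs; any entry in those lists is a file to read before a hash is touched.
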
Patch

diff --git a/package/openjdk/openjdk.hash b/package/openjdk/openjdk.hash
index d5be642052..07bf4d5479 100644
--- a/package/openjdk/openjdk.hash
+++ b/package/openjdk/openjdk.hash
@@ -1,3 +1,3 @@ 
 # Locally computed
-sha256 6815dbac7dd0f86291254e84ed17565c89477eeb6b0847a9648b00ecb4f07634  jdk-14+36.tar.gz
+sha256 fcd13ebd63d40c1c2f3cabfb7bc368962ff7b5935523be2a0e769352987145ae  jdk-14+36.tar.gz
 sha256 4b9abebc4338048a7c2dc184e9f800deb349366bdf28eb23c2677a77b4c87726  LICENSE
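
Review bot: The replaced jdk-14+36.tar.gz line sits under "# Locally computed", but nothing in the change records where the new sha256 was computed from or why an archive with the same file name and version now hashes differently, and the commit message names the value on the removed line as the one the hash "should be", which contradicts the diff. Before this can be applied, the commit message should state which download produced the value on the added line and summarise how that archive differs from the one matching the removed line; if the archive matching the removed line is still the intended source, this line should stay unchanged.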